| 1 | /* $NetBSD: postscreen.c,v 1.2 2017/02/14 01:16:47 christos Exp $ */ |
| 2 | |
| 3 | /*++ |
| 4 | /* NAME |
| 5 | /* postscreen 8 |
| 6 | /* SUMMARY |
| 7 | /* Postfix zombie blocker |
| 8 | /* SYNOPSIS |
| 9 | /* \fBpostscreen\fR [generic Postfix daemon options] |
| 10 | /* DESCRIPTION |
| 11 | /* The Postfix \fBpostscreen\fR(8) server provides additional |
| 12 | /* protection against mail server overload. One \fBpostscreen\fR(8) |
| 13 | /* process handles multiple inbound SMTP connections, and decides |
| 14 | /* which clients may talk to a Postfix SMTP server process. |
| 15 | /* By keeping spambots away, \fBpostscreen\fR(8) leaves more |
| 16 | /* SMTP server processes available for legitimate clients, and |
| 17 | /* delays the onset of server overload conditions. |
| 18 | /* |
| 19 | /* This program should not be used on SMTP ports that receive |
| 20 | /* mail from end-user clients (MUAs). In a typical deployment, |
| 21 | /* \fBpostscreen\fR(8) handles the MX service on TCP port 25, |
| 22 | /* while MUA clients submit mail via the \fBsubmission\fR |
| 23 | /* service on TCP port 587 which requires client authentication. |
| 24 | /* Alternatively, a site could set up a dedicated, non-postscreen, |
| 25 | /* "port 25" server that provides \fBsubmission\fR service and |
| 26 | /* client authentication, but no MX service. |
| 27 | /* |
| 28 | /* \fBpostscreen\fR(8) maintains a temporary whitelist for |
| 29 | /* clients that have passed a number of tests. When an SMTP |
| 30 | /* client IP address is whitelisted, \fBpostscreen\fR(8) hands |
| 31 | /* off the connection immediately to a Postfix SMTP server |
| 32 | /* process. This minimizes the overhead for legitimate mail. |
| 33 | /* |
| 34 | /* By default, \fBpostscreen\fR(8) logs statistics and hands |
| 35 | /* off each connection to a Postfix SMTP server process, while |
| 36 | /* excluding clients in mynetworks from all tests (primarily, |
| 37 | /* to avoid problems with non-standard SMTP implementations |
| 38 | /* in network appliances). This default mode blocks no clients, |
| 39 | /* and is useful for non-destructive testing. |
| 40 | /* |
| 41 | /* In a typical production setting, \fBpostscreen\fR(8) is |
| 42 | /* configured to reject mail from clients that fail one or |
| 43 | /* more tests. \fBpostscreen\fR(8) logs rejected mail with the |
| 44 | /* client address, helo, sender and recipient information. |
| 45 | /* |
| 46 | /* \fBpostscreen\fR(8) is not an SMTP proxy; this is intentional. |
| 47 | /* The purpose is to keep spambots away from Postfix SMTP |
| 48 | /* server processes, while minimizing overhead for legitimate |
| 49 | /* traffic. |
| 50 | /* SECURITY |
| 51 | /* .ad |
| 52 | /* .fi |
| 53 | /* The \fBpostscreen\fR(8) server is moderately security-sensitive. |
| 54 | /* It talks to untrusted clients on the network. The process |
| 55 | /* can be run chrooted at fixed low privilege. |
| 56 | /* STANDARDS |
| 57 | /* RFC 821 (SMTP protocol) |
| 58 | /* RFC 1123 (Host requirements) |
| 59 | /* RFC 1652 (8bit-MIME transport) |
| 60 | /* RFC 1869 (SMTP service extensions) |
| 61 | /* RFC 1870 (Message Size Declaration) |
| 62 | /* RFC 1985 (ETRN command) |
| 63 | /* RFC 2034 (SMTP Enhanced Status Codes) |
| 64 | /* RFC 2821 (SMTP protocol) |
| 65 | /* Not: RFC 2920 (SMTP Pipelining) |
| 66 | /* RFC 3207 (STARTTLS command) |
| 67 | /* RFC 3461 (SMTP DSN Extension) |
| 68 | /* RFC 3463 (Enhanced Status Codes) |
| 69 | /* RFC 5321 (SMTP protocol, including multi-line 220 banners) |
| 70 | /* DIAGNOSTICS |
| 71 | /* Problems and transactions are logged to \fBsyslogd\fR(8). |
| 72 | /* BUGS |
| 73 | /* The \fBpostscreen\fR(8) built-in SMTP protocol engine |
| 74 | /* currently does not announce support for AUTH, XCLIENT or |
| 75 | /* XFORWARD. |
| 76 | /* If you need to make these services available |
| 77 | /* on port 25, then do not enable the optional "after 220 |
| 78 | /* server greeting" tests, and do not use DNSBLs that reject |
| 79 | /* traffic from dial-up and residential networks. |
| 80 | /* |
| 81 | /* The optional "after 220 server greeting" tests involve |
| 82 | /* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When |
| 83 | /* these tests succeed, \fBpostscreen\fR(8) adds the client |
| 84 | /* to the temporary whitelist, but it cannot hand off the |
| 85 | /* "live" connection to a Postfix SMTP server process in the |
| 86 | /* middle of a session. Instead, \fBpostscreen\fR(8) defers |
| 87 | /* attempts to deliver mail with a 4XX status, and waits for |
| 88 | /* the client to disconnect. When the client connects again, |
| 89 | /* \fBpostscreen\fR(8) will allow the client to talk to a |
| 90 | /* Postfix SMTP server process (provided that the whitelist |
| 91 | /* status has not expired). \fBpostscreen\fR(8) mitigates |
| 92 | /* the impact of this limitation by giving the "after 220 |
| 93 | /* server greeting" tests a long expiration time. |
| 94 | /* CONFIGURATION PARAMETERS |
| 95 | /* .ad |
| 96 | /* .fi |
| 97 | /* Changes to main.cf are not picked up automatically, as |
| 98 | /* \fBpostscreen\fR(8) processes may run for several hours. |
| 99 | /* Use the command "postfix reload" after a configuration |
| 100 | /* change. |
| 101 | /* |
| 102 | /* The text below provides only a parameter summary. See |
| 103 | /* \fBpostconf\fR(5) for more details including examples. |
| 104 | /* |
| 105 | /* NOTE: Some \fBpostscreen\fR(8) parameters implement |
| 106 | /* stress-dependent behavior. This is supported only when the |
| 107 | /* default parameter value is stress-dependent (that is, it |
| 108 | /* looks like ${stress?{X}:{Y}}, or it is the $\fIname\fR |
| 109 | /* of an smtpd parameter with a stress-dependent default). |
| 110 | /* Other parameters always evaluate as if the \fBstress\fR |
| 111 | /* parameter value is the empty string. |
| 112 | /* COMPATIBILITY CONTROLS |
| 113 | /* .ad |
| 114 | /* .fi |
| 115 | /* .IP "\fBpostscreen_command_filter ($smtpd_command_filter)\fR" |
| 116 | /* A mechanism to transform commands from remote SMTP clients. |
| 117 | /* .IP "\fBpostscreen_discard_ehlo_keyword_address_maps ($smtpd_discard_ehlo_keyword_address_maps)\fR" |
| 118 | /* Lookup tables, indexed by the remote SMTP client address, with |
| 119 | /* case insensitive lists of EHLO keywords (pipelining, starttls, auth, |
| 120 | /* etc.) that the \fBpostscreen\fR(8) server will not send in the EHLO response |
| 121 | /* to a remote SMTP client. |
| 122 | /* .IP "\fBpostscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)\fR" |
| 123 | /* A case insensitive list of EHLO keywords (pipelining, starttls, |
| 124 | /* auth, etc.) that the \fBpostscreen\fR(8) server will not send in the EHLO |
| 125 | /* response to a remote SMTP client. |
| 126 | /* .PP |
| 127 | /* Available in Postfix version 3.1 and later: |
| 128 | /* .IP "\fBdns_ncache_ttl_fix_enable (no)\fR" |
| 129 | /* Enable a workaround for future libc incompatibility. |
| 130 | /* TROUBLE SHOOTING CONTROLS |
| 131 | /* .ad |
| 132 | /* .fi |
| 133 | /* .IP "\fBpostscreen_expansion_filter (see 'postconf -d' output)\fR" |
| 134 | /* List of characters that are permitted in postscreen_reject_footer |
| 135 | /* attribute expansions. |
| 136 | /* .IP "\fBpostscreen_reject_footer ($smtpd_reject_footer)\fR" |
| 137 | /* Optional information that is appended after a 4XX or 5XX |
| 138 | /* \fBpostscreen\fR(8) server |
| 139 | /* response. |
| 140 | /* .IP "\fBsoft_bounce (no)\fR" |
| 141 | /* Safety net to keep mail queued that would otherwise be returned to |
| 142 | /* the sender. |
| 143 | /* BEFORE-POSTSCREEN PROXY AGENT |
| 144 | /* .ad |
| 145 | /* .fi |
| 146 | /* Available in Postfix version 2.10 and later: |
| 147 | /* .IP "\fBpostscreen_upstream_proxy_protocol (empty)\fR" |
| 148 | /* The name of the proxy protocol used by an optional before-postscreen |
| 149 | /* proxy agent. |
| 150 | /* .IP "\fBpostscreen_upstream_proxy_timeout (5s)\fR" |
| 151 | /* The time limit for the proxy protocol specified with the |
| 152 | /* postscreen_upstream_proxy_protocol parameter. |
| 153 | /* PERMANENT WHITE/BLACKLIST TEST |
| 154 | /* .ad |
| 155 | /* .fi |
| 156 | /* This test is executed immediately after a remote SMTP client |
| 157 | /* connects. If a client is permanently whitelisted, the client |
| 158 | /* will be handed off immediately to a Postfix SMTP server |
| 159 | /* process. |
| 160 | /* .IP "\fBpostscreen_access_list (permit_mynetworks)\fR" |
| 161 | /* Permanent white/blacklist for remote SMTP client IP addresses. |
| 162 | /* .IP "\fBpostscreen_blacklist_action (ignore)\fR" |
| 163 | /* The action that \fBpostscreen\fR(8) takes when a remote SMTP client is |
| 164 | /* permanently blacklisted with the postscreen_access_list parameter. |
| 165 | /* MAIL EXCHANGER POLICY TESTS |
| 166 | /* .ad |
| 167 | /* .fi |
| 168 | /* When \fBpostscreen\fR(8) is configured to monitor all primary |
| 169 | /* and backup MX addresses, it can refuse to whitelist clients |
| 170 | /* that connect to a backup MX address only. For small sites, |
| 171 | /* this requires configuring primary and backup MX addresses |
| 172 | /* on the same MTA. Larger sites would have to share the |
| 173 | /* \fBpostscreen\fR(8) cache between primary and backup MTAs, |
| 174 | /* which would introduce a common point of failure. |
| 175 | /* .IP "\fBpostscreen_whitelist_interfaces (static:all)\fR" |
| 176 | /* A list of local \fBpostscreen\fR(8) server IP addresses where a |
| 177 | /* non-whitelisted remote SMTP client can obtain \fBpostscreen\fR(8)'s temporary |
| 178 | /* whitelist status. |
| 179 | /* BEFORE 220 GREETING TESTS |
| 180 | /* .ad |
| 181 | /* .fi |
| 182 | /* These tests are executed before the remote SMTP client |
| 183 | /* receives the "220 servername" greeting. If no tests remain |
| 184 | /* after the successful completion of this phase, the client |
| 185 | /* will be handed off immediately to a Postfix SMTP server |
| 186 | /* process. |
| 187 | /* .IP "\fBdnsblog_service_name (dnsblog)\fR" |
| 188 | /* The name of the \fBdnsblog\fR(8) service entry in master.cf. |
| 189 | /* .IP "\fBpostscreen_dnsbl_action (ignore)\fR" |
| 190 | /* The action that \fBpostscreen\fR(8) takes when a remote SMTP client's combined |
| 191 | /* DNSBL score is equal to or greater than a threshold (as defined |
| 192 | /* with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold |
| 193 | /* parameters). |
| 194 | /* .IP "\fBpostscreen_dnsbl_reply_map (empty)\fR" |
| 195 | /* A mapping from the actual DNSBL domain name, which includes a secret |
| 196 | /* password, to the DNSBL domain name that postscreen will reply with |
| 197 | /* when it rejects mail. |
| 198 | /* .IP "\fBpostscreen_dnsbl_sites (empty)\fR" |
| 199 | /* Optional list of DNS white/blacklist domains, filters and weight |
| 200 | /* factors. |
| 201 | /* .IP "\fBpostscreen_dnsbl_threshold (1)\fR" |
| 202 | /* The inclusive lower bound for blocking a remote SMTP client, based on |
| 203 | /* its combined DNSBL score as defined with the postscreen_dnsbl_sites |
| 204 | /* parameter. |
| 205 | /* .IP "\fBpostscreen_greet_action (ignore)\fR" |
| 206 | /* The action that \fBpostscreen\fR(8) takes when a remote SMTP client speaks |
| 207 | /* before its turn within the time specified with the postscreen_greet_wait |
| 208 | /* parameter. |
| 209 | /* .IP "\fBpostscreen_greet_banner ($smtpd_banner)\fR" |
| 210 | /* The \fItext\fR in the optional "220-\fItext\fR..." server |
| 211 | /* response that |
| 212 | /* \fBpostscreen\fR(8) sends ahead of the real Postfix SMTP server's "220 |
| 213 | /* text..." response, in an attempt to confuse bad SMTP clients so |
| 214 | /* that they speak before their turn (pre-greet). |
| 215 | /* .IP "\fBpostscreen_greet_wait (normal: 6s, overload: 2s)\fR" |
| 216 | /* The amount of time that \fBpostscreen\fR(8) will wait for an SMTP |
| 217 | /* client to send a command before its turn, and for DNS blocklist |
| 218 | /* lookup results to arrive (default: up to 2 seconds under stress, |
| 219 | /* up to 6 seconds otherwise). |
| 220 | /* .IP "\fBsmtpd_service_name (smtpd)\fR" |
| 221 | /* The internal service that \fBpostscreen\fR(8) hands off allowed |
| 222 | /* connections to. |
| 223 | /* .PP |
| 224 | /* Available in Postfix version 2.11 and later: |
| 225 | /* .IP "\fBpostscreen_dnsbl_whitelist_threshold (0)\fR" |
| 226 | /* Allow a remote SMTP client to skip "before" and "after 220 |
| 227 | /* greeting" protocol tests, based on its combined DNSBL score as |
| 228 | /* defined with the postscreen_dnsbl_sites parameter. |
| 229 | /* .PP |
| 230 | /* Available in Postfix version 3.0 and later: |
| 231 | /* .IP "\fBpostscreen_dnsbl_timeout (10s)\fR" |
| 232 | /* The time limit for DNSBL or DNSWL lookups. |
| 233 | /* AFTER 220 GREETING TESTS |
| 234 | /* .ad |
| 235 | /* .fi |
| 236 | /* These tests are executed after the remote SMTP client |
| 237 | /* receives the "220 servername" greeting. If a client passes |
| 238 | /* all tests during this phase, it will receive a 4XX response |
| 239 | /* to all RCPT TO commands. After the client reconnects, it |
| 240 | /* will be allowed to talk directly to a Postfix SMTP server |
| 241 | /* process. |
| 242 | /* .IP "\fBpostscreen_bare_newline_action (ignore)\fR" |
| 243 | /* The action that \fBpostscreen\fR(8) takes when a remote SMTP client sends |
| 244 | /* a bare newline character, that is, a newline not preceded by a carriage |
| 245 | /* return. |
| 246 | /* .IP "\fBpostscreen_bare_newline_enable (no)\fR" |
| 247 | /* Enable "bare newline" SMTP protocol tests in the \fBpostscreen\fR(8) |
| 248 | /* server. |
| 249 | /* .IP "\fBpostscreen_disable_vrfy_command ($disable_vrfy_command)\fR" |
| 250 | /* Disable the SMTP VRFY command in the \fBpostscreen\fR(8) daemon. |
| 251 | /* .IP "\fBpostscreen_forbidden_commands ($smtpd_forbidden_commands)\fR" |
| 252 | /* List of commands that the \fBpostscreen\fR(8) server considers in |
| 253 | /* violation of the SMTP protocol. |
| 254 | |